The present invention relates to sensors having a memory. It will be described in particular with respect to pulse oximeter sensors, but is equally applicable to other types of sensors as well.
Pulse Oximetry
Pulse oximetry is typically used to measure various blood flow characteristics including, but not limited to, the blood-oxygen saturation of hemoglobin in arterial blood, and the rate of blood pulsations corresponding to a heart rate of a patient. Measurement of these characteristics has been accomplished by use of a non-invasive sensor which passes light through a portion of the patient""s tissue where blood perfuses the tissue, and photoelectrically senses the absorption of light in such tissue. A monitor, connected to the sensor, determines the amount of light absorbed and calculates the amount of blood constituent being measured, for example, arterial oxygen saturation.
The light passed through the tissue is selected to be of one or more wavelengths that are absorbed by the blood in an amount representative of the amount of the blood constituent present in the blood. The amount of transmitted or reflected light passed through the tissue will vary in accordance with the changing amount of blood constituent in the tissue and the related light absorption. For measuring blood oxygen level, such sensors have been provided with light sources and photodetectors that are adapted to operate at two different wavelengths, in accordance with known techniques for measuring blood oxygen saturation.
Various methods have been proposed in the past for coding information in sensors, including pulse oximeter sensors, to convey useful information to a monitor. For example, an encoding mechanism is shown in Nellcor U.S. Pat. No. 4,700,708, the disclosure of which is hereby incorporated by reference. This mechanism relates to an optical oximeter probe which uses a pair of light emitting diodes (LEDs) to direct light through blood-perfused tissue, with a detector detecting light which has not been absorbed by the tissue. Oxygen saturation calculation accuracy depends upon knowing the wavelengths of the LEDs. Since the wavelengths of LEDs can vary, a coding resistor is placed in the probe with the value of the resistor indicating to the monitor the oximeter oxygen saturation calculation coefficients appropriate for the actual wavelengths of at least one of the LEDs or the LED wavelength combination for the sensor. When the oximeter instrument is turned on, it first applies a current to the coding resistor and measures the voltage to determine the value of the resistor and thus appropriate saturation calculation coefficients to use for the wavelengths of the LEDs in the probe.
Other coding mechanisms have also been proposed in U.S. Pat. Nos. 5,259,381; 4,942,877; 4,446,715; 3,790,910; 4,303,984; 4,621,643; 5,246,003; 3,720,177; 4,684,245; 5,645,059; 5,058,588; 4,858,615; and 4,942,877, the disclosures of which are all hereby incorporated by reference. The ""877 patent in particular discloses storing a variety of data in a pulse oximetry sensor memory, including coefficients for a saturation equation for oximetry.
A problem with prior art sensor coding techniques is that information encoding may sometimes be inaccurate and/or not authentic. This results in the monitor sometimes not being able to obtain adequate readings from a patient, or worse yet making inaccurate calculations, such that in extreme instances the inaccurate codes and resulting inadequate readings might significantly impair patient safety and contribute to bad patient outcomes. Inaccurate codes can result under a variety of circumstances. For example, errors can occur during a manufacturing process or during shipment of the sensor. More common, however, is that inaccurate codes are somewhat purposely used by discount low quality third party sensor manufacturers who are not licensed or authorized by the corresponding monitor manufacturer to supply compatible high quality sensors. These third parties often invest minimal amounts in research and simply do not understand what the codes are for since they do not understand how the monitor works or how the monitor uses the codes. Since they are not licensed by the monitor manufacturer, this information is generally not available from the monitor manufacturer. All too often, these third parties choose not to invest time and expense to learn by reverse engineering techniques or original science how the monitors work and how the codes are used to ensure patient safety. Rather, numerous instances exist where such third parties simply examine a range of code values used in the market for each data characteristic being encoded, and take an average code value for all their sensors so as to be xe2x80x9ccompatiblexe2x80x9d with a particular monitor. Though in many instances using an average code value will simply result in readings being out of specification but not otherwise particularly dangerous, the average code value may be sufficiently wrong to introduce significant errors into the computation algorithms used by the monitor and to cause significant patient safety problems. In addition, whenever third party inaccurate codes contribute to a bad patient outcome, the harmed patient, or his or her heirs, can attempt to hold the monitor manufacturer, together with the direct caregivers, responsible. If the caregivers have not retained the low quality third party sensor used and made no record of its use, which happens, it would be difficult for the monitor manufacturer to establish that the problem was caused by use of the low quality third party sensor with its otherwise high quality monitor.
Another reason that there is a need for authentication of digital data stored in association with medical sensors is the small but real possibility that data will be corrupted between the time of recording in the factory and the time of reading by the instrument which is monitoring the condition of a patient. One often-cited example of a mechanism which may cause such corruption is the changing of a value recorded in digital memory by the incidence of an energetic cosmic ray. A more ordinary source of corruption is damage to a memory cell caused by electrostatic discharge.
Accordingly, a need exists in the art to devise a way to communicate accurate and authentic complex codes from a sensor to a monitor to ensure accurate computations and accurate patient monitoring by the monitor.
Accordingly, it is an object of the invention to provide a sensor which has codes useful for a monitor which can be authenticated as accurate.
This and other objects are achieved by a sensor which produces a signal corresponding to a measured physiological characteristic of a patient and which provides codes which can be assured of being accurate and authentic when used by a monitor. A memory associated with the sensor stores the codes and other data relating to the sensor, the memory also containing a digital signature. The digital signature authenticates the quality of the codes and data by ensuring it was generated by an entity having predetermined quality controls, and ensures the codes are accurate.
In one embodiment, the digital signature is produced during the sensor manufacturing process using a private key of a private key and public key pair, with the signature then being verifiable with the public key embedded in processors in an external sensor reader (e.g., monitor). The signature can be separate from the data. Or, instead of the signature being appended to the data, the signature itself can contain all or at least some of the data and thus provides a level of masking of the data.
According to one embodiment of the invention, any one of several known public/private key signature methods can be used. These include Diffie-Hellman (and its variants, such as the Digital Signature Standard from the National Institute of Standards and Technology, El Gamal and the elliptic curve approaches), RSA (developed at the Massachusetts Institute of Technology), and Rabin-Williams.
In a further embodiment of the invention, a digest of a portion of the data to be signed is included in the signature to verify that errors in the data have not occurred. Each piece of data preferably is organized to include a field ID, indicating the type of data to follow, followed by a data length element, followed by the piece of data. A mandatory bit is also preferably provided indicating whether knowledge of how to use the piece of data by the monitor is mandatory for operation of the sensor with the monitor. Thus, an older monitor which does not recognize a non-critical piece of data can simply disregard it, since presumably it will not implement the enhanced feature which corresponds to the piece of data. However, if the piece of data is necessary for proper operation of a sensor, the mandatory bit will be set, and the sensor reader/monitor will indicate that it cannot use the particular sensor that has been plugged in.
In yet another embodiment, the signed data stored with the sensor would include at least a sensor dependent saturation calibration curve coefficient used to calculate oxygen saturation by a monitor. Additionally, the data may include sensor OFF thresholds and thermistor calibration coefficients appropriate for sensors including a thermistor. Some of such data may be included within the signature, and this or other data could be included outside the signature. The data outside the signature could be encrypted (or masked), if desired, with a symmetric key cryptographic algorithm, for example the Data Encryption Standard (DES) from NIST, and the symmetric key could be included in the signature. Alternatively, the symmetric key could be derivable from the digest, which is contained within the signature.